CVE-2023-49398
Description
JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/delete.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JFinalCMS v5.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) in the category deletion endpoint, allowing unauthorized deletion of categories.
JFinalCMS v5.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /admin/category/delete endpoint. The application fails to implement anti-CSRF tokens, allowing an attacker to forge requests on behalf of an authenticated administrator [1][2].
To exploit this, an attacker must lure an administrator who holds an active session into loading a malicious page. The cited proof-of-concept (PoC) is a plain HTML form that auto-submits a POST request to /admin/category/delete carrying the ID of the category to remove [2]. The attacker needs no account on the CMS; the victim supplies the privilege through the session cookie the browser attaches, and the attacker only has to know the endpoint and the name of the ID parameter.
Successful exploitation enables the attacker to delete arbitrary categories without the admin's knowledge or consent. This can lead to loss of important content and disrupt the CMS's content management workflow. The vulnerability does not allow authentication bypass, but it abuses the trust placed in the admin's browser session [1][2].
As of the publication date, no official patch has been released. Administrators should apply generic CSRF defenses until a vendor update is available: a per-session anti-CSRF token that every state-changing request must echo back, and a SameSite attribute (Lax or Strict) on the session cookie so that a browser does not attach it to a cross-site form POST [1]. Checking the Origin (or Referer) header against the CMS's own origin adds an independent layer. The forged request only succeeds if the browser sends the admin's session cookie with it, so the cookie attribute alone blunts the PoC, but the token check is what makes the endpoint safe regardless of browser behaviour.
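The two passages above (the PoC pattern and the recommended defenses) can be exercised together in one offline model. The following Python is an added example written for this page, not JFinalCMS's own code: the handler names, the form parameter name `id`, the cookie name `JSESSIONID`, the origins `cms.example` and `attacker.example`, and the category data are all constructed assumptions. It builds the kind of auto-submitting form the PoC uses, models when a browser attaches the session cookie to a cross-site POST under each SameSite setting, and runs the forged request against a handler that mirrors the reported flaw and against a hardened handler with an exact-origin check and a session-bound synchronizer token.

```python
"""Model of the CVE-2023-49398 request pattern and generic CSRF defenses.

Added example, not JFinalCMS code: the parameter name "id", cookie name
JSESSIONID, origins, and sample categories are constructed assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example"            # assumed CMS origin
ATTACKER_ORIGIN = "https://attacker.example"   # assumed attacker page origin
SESSIONS: dict = {}                            # session id -> session state


def sample_categories() -> dict:
    """Constructed sample data standing in for the CMS category table."""
    return {1: "News", 2: "Docs", 3: "Blog"}


@dataclass
class Request:
    method: str
    path: str
    form: dict
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create an admin session; the anti-CSRF token is bound to that session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(32)}
    return sid


def poc_page(category_id: int) -> str:
    """HTML of the kind the cited PoC uses: a cross-site form that submits itself.
    The parameter name "id" is assumed, not taken from the advisory."""
    return (f'<form id="f" method="POST" action="{SITE_ORIGIN}/admin/category/delete">'
            f'<input type="hidden" name="id" value="{category_id}"></form>'
            '<script>document.getElementById("f").submit()</script>')


def browser_attaches_cookie(same_site: str, cross_site: bool, method: str) -> bool:
    """SameSite rule for a top-level form submission.
    None   -> always sent; Lax -> same-site, or cross-site only for safe methods;
    Strict -> same-site only. (Chrome's Lax-by-default keeps a short POST window
    for cookies with NO attribute; an explicit SameSite=Lax gets no such window.)"""
    if not cross_site or same_site == "None":
        return True
    if same_site == "Lax":
        return method in ("GET", "HEAD", "OPTIONS", "TRACE")
    return False


def forged_delete(sid: str, category_id: int, same_site: str = "None") -> Request:
    """The request the victim's browser emits when it renders poc_page()."""
    cookies = {"JSESSIONID": sid} if browser_attaches_cookie(same_site, True, "POST") else {}
    return Request("POST", "/admin/category/delete", {"id": str(category_id)},
                   cookies, {"Origin": ATTACKER_ORIGIN})


def legitimate_delete(sid: str, category_id: int) -> Request:
    """A first-party request: same origin, session cookie, and the session's token."""
    return Request("POST", "/admin/category/delete",
                   {"id": str(category_id), "csrf_token": SESSIONS[sid]["csrf"]},
                   {"JSESSIONID": sid}, {"Origin": SITE_ORIGIN})


def vulnerable_delete(req: Request, categories: dict) -> int:
    """Mirrors the reported flaw: a valid admin session cookie is the only check."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if req.method != "POST" or sess is None:
        return 403
    categories.pop(int(req.form["id"]), None)
    return 200


def _origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port] for exact comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def hardened_delete(req: Request, categories: dict) -> int:
    """Same handler with two independent CSRF checks layered on the session check."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if req.method != "POST" or sess is None:
        return 403
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin or _origin_of(origin) != SITE_ORIGIN:   # exact match, never a prefix test
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403
    categories.pop(int(req.form["id"]), None)
    return 200


def run_scenarios() -> dict:
    """Status code and surviving category ids for each scenario."""
    sid = login("admin")
    results = {}
    c = sample_categories()
    results["vuln_forged"] = (vulnerable_delete(forged_delete(sid, 2), c), sorted(c))
    c = sample_categories()
    results["hard_forged"] = (hardened_delete(forged_delete(sid, 2), c), sorted(c))
    c = sample_categories()
    results["hard_legit"] = (hardened_delete(legitimate_delete(sid, 2), c), sorted(c))
    c = sample_categories()
    results["vuln_forged_lax"] = (vulnerable_delete(forged_delete(sid, 2, "Lax"), c), sorted(c))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: status={outcome[0]} remaining={outcome[1]}")
```

The `vuln_forged` scenario is the reported bug: the cross-site POST arrives with the admin's cookie and category 2 is gone. `vuln_forged_lax` shows why the cookie attribute alone blunts the PoC, and `hard_forged` versus `hard_legit` shows the token and origin checks rejecting the forgery while first-party traffic still works. Note the origin comparison reduces the header to scheme and host before comparing; a `startswith` test would accept `https://cms.example.attacker.example`.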
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.jfinal:jfinalMaven | <= 5.0.0 | — |
Affected products
JFinalCMS / JFinalCMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.